FutureQuest, Inc. FutureQuest, Inc. FutureQuest, Inc.
Knowledgebase: Password Protection
Password protected page asks me to login twice?
Posted on 31 January 2004 02:24 AM

I have created a password protected directory on my web site, but it asks me for the password twice (or more). Why does it do this? I am entering the correct information both times.


The reason you are being asked for the password more than once is due to one of two issues:

1) You have images linked from a different URL within the same protected realm.

For example, you access your site with:
http://example.com (without the 'www')

and your images are linked with:

http://www.example.com (with the 'www')

In the case above, the browser sees these as two distinct URLs. There is never a guarantee that the 'www' subdomain necessarily maps to the same web site or even the same server, thus the browser has no reason to assume that it should send your password to this other URL. If it happens that the other URL goes to a different web server, you would probably not want your password being revealed to the unknown source.

Note that this applies not only to images, but also to "externally" linked style sheets, JavaScript files, applets, or anything that the browser must download as a separate request.

2) You might have more than one protected area under the same "realm", or AuthName. The AuthName specifies the realm and browsers save authentication information based on both the domain and the realm. If two areas on the same domain have the same realm, by specification they should require the same login information - thus logging into one area wipes out the saved information for another area of the same realm.

Note: If you are using the CNC to password protect more than one directory, you will need to manually edit the .htaccess files it creates in order to change the AuthName directive on one of them. The CNC by default uses the same AuthName for all password protected areas.

See the following tutorial for help with editing your .htaccess file:
Password Protection: Automagically

For further reference, you may wish to visit this security primer:
It explains some of the above issues and much more in a lot more detail. Particularly, section 3 covers the AuthName directive: